SBM Articles

What Your Employees Should Know About Security: Part 3

by Scott Lewis

Cell phone thefts are on the rise and will continue for the near future. In most cases the thief is after the phone itself rather than the data on it. Even so, identity theft traced to stolen smartphones and the data they hold has risen significantly. According to a Business Insider report, 44% of smartphone thefts happened because the owner left the phone in a public place, 14% were taken from a house or car, and 11% were pickpocketing or street theft.

Some easy smartphone protections, according to CTIA Everything Wireless:
• Be aware. Know your surroundings and how you are using your smartphone. Do not carry it in a back pocket or in loose-fitting clothing.
• Lock it. Set a strong passcode on your smartphone and change it often.
• Add apps that can track, lock and remotely erase the personal information on your smartphone.
• Save it. As with your computer, back up your smartphone and keep copies of your pictures on separate media.
• Insure it. Insurance just makes the cost of a replacement a little easier to swallow.

Using personal devices for business, which some people call BYOD (bring your own device), brings both benefits and challenges to the workplace. A good BYOD policy can improve morale, since employees like to choose their own device type and manufacturer. The challenges include keeping work data separate from personal data, ensuring that non-employees or family members do not use the device, and deciding what happens when an employee is terminated or loses the device. All of these must be settled before a BYOD program starts, along with tight written policies on confidentiality, intellectual property ownership and data destruction.

According to Computer Weekly, the ICO guidance recommends that companies allowing BYOD decide the following:
• Which types of company data may be processed on personal devices
• How access to company data will be secured and how the data will be encrypted
• How corporate data should be stored on personal devices
• How and when corporate data should be deleted from personal devices
• How data should be transferred from personal devices to company servers

System misconfigurations, poor patch management and the use of default usernames and passwords. We would all like to think that hacking has evolved into a highly sophisticated process that always keeps technologists on their toes. That is not the case: according to Gartner, 99% of firewall breaches through 2020 will be caused by human error and misconfiguration rather than by flaws in the firewall itself.

How could this be? Configuring a firewall can be difficult and time consuming, and the difference between a proper configuration and a misconfiguration can be as small as a missed period or a misspelling: simple mistakes that open things up to the outside world. In 2015 a misconfigured router grounded about 90 United Airlines flights for more than two hours. An AlgoSec State of Automation survey found that 20% of organizations had a security breach, 48% had an application outage and 42% had a network outage due to errors in manual security-related processes.

According to Info Security there are some steps you can take to minimize the human error factor during security change processes:

1) A request for a change is made. One of the biggest complaints is that it takes too long to make a requested change. This is one area where taking your time is well worth it. Make sure that you understand the change. Make sure that you understand the risks prior to implementation.

2) Planning for the change. Make sure that your team has a full understanding of your infrastructure. Making a change in one area may open up holes in another.

3) Understand the risks. Make sure that all potentially exposed areas are reviewed. What may seem like a simple change could affect applications, open up inward and outward traffic or expose other parts of the network.

4) Making the change. Make sure that someone who knows the firewall rules and configuration makes the change, and decide whether the request should be folded into an existing rule, added as its own rule, or abandoned altogether.

5) Validating the change. Test your change and the rule set as a whole, not just the new rule. Again, the difference between properly configured and misconfigured can be very small.

6) Documentation. Make sure that the change was clearly and completely documented.
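Steps 3 through 5 above are where a small slip turns into an exposure, and much of that review can be automated before a rule ever reaches the device. The following Python script is an added example, not code from the article or from any firewall vendor. It reviews a proposed rule against a constructed, first-match-wins rule list written in a simplified text format that is assumed for this example and is not a real firewall syntax. It rejects syntax errors such as a missing octet or host bits set in a prefix, reports a rule that is already shadowed by an earlier rule (so it should be folded into that rule or dropped, step 4), and flags an allow rule that exposes a management port to the whole internet (step 3). The management-port list and the sample rules are assumptions.

```python
"""Review a proposed firewall rule before it is applied.

Added example, not from the article. Rules use a constructed text format
    <allow|deny> <tcp|udp|any> <src CIDR> -> <dst CIDR> <port|any>
and are evaluated first-match-wins, the ordering most firewalls use.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumption: ports that must never be reachable from the whole internet.
MANAGEMENT_PORTS = {22, 23, 445, 1433, 3306, 3389, 5900}
ANY_NET = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None means any destination port


def parse_rule(line: str) -> Rule:
    """Parse one rule line; a missing octet, host bits set in a prefix, or a
    bad port raises ValueError so the typo is caught before it reaches the device."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        raise ValueError(f"malformed rule: {line!r}")
    action, proto, src, _, dst, port = parts
    if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
        raise ValueError(f"unknown action or protocol in: {line!r}")
    # strict=True rejects prefixes like 10.0.0.5/8 that have host bits set
    src_net = ipaddress.IPv4Network(src, strict=True)
    dst_net = ipaddress.IPv4Network(dst, strict=True)
    port_val = None if port == "any" else int(port)
    if port_val is not None and not 0 < port_val < 65536:
        raise ValueError(f"port out of range in: {line!r}")
    return Rule(action, proto, src_net, dst_net, port_val)


def covers(old: Rule, new: Rule) -> bool:
    """True if every packet `new` would match is already matched by `old`."""
    proto_ok = old.proto in ("any", new.proto)
    port_ok = old.port is None or old.port == new.port
    return proto_ok and port_ok and new.src.subnet_of(old.src) and new.dst.subnet_of(old.dst)


def review_change(existing_text: str, proposed_line: str) -> List[str]:
    """Return review findings for the proposed rule; an empty list means it passed."""
    try:
        new = parse_rule(proposed_line)
    except ValueError as exc:
        return [f"syntax: {exc}"]
    existing = [parse_rule(ln) for ln in existing_text.strip().splitlines() if ln.strip()]
    findings = []

    # Step 4: an earlier rule already matches this traffic, so under first-match
    # semantics the new rule would never fire; fold it into that rule or drop it.
    for idx, old in enumerate(existing, start=1):
        if covers(old, new):
            findings.append(f"shadowed: rule {idx} ({old.action} {old.proto} {old.src} -> "
                            f"{old.dst} {old.port or 'any'}) already matches this traffic")
            break

    # Step 3: does the change expose more than the requester intended?
    if new.action == "allow":
        if new.src == ANY_NET and (new.port is None or new.port in MANAGEMENT_PORTS):
            findings.append(f"exposure: the whole internet could reach port "
                            f"{new.port or 'any'} on {new.dst}")
        if new.dst == ANY_NET:
            findings.append("exposure: destination 0.0.0.0/0 allows traffic to anywhere")
    return findings


# Constructed sample rule list for the example (not a real environment).
RULESET = """
allow tcp 10.0.0.0/8      -> 192.168.10.0/24 443
deny  any 0.0.0.0/0       -> 192.168.10.0/24 22
allow tcp 10.20.0.0/16    -> 192.168.10.5/32 any
"""

if __name__ == "__main__":
    for change in (
        "allow tcp 10.1.2.0/24 -> 192.168.10.5/32 443",       # already covered by rule 1
        "allow tcp 203.0.113.0/24 -> 192.168.10.5/32 22",     # silently blocked by rule 2
        "allow tcp 0.0.0.0/0 -> 192.168.10.5/32 3389",        # RDP open to the internet
        "allow tcp 10.0.0/8 -> 192.168.10.5/32 8443",         # missing octet
        "allow tcp 198.51.100.0/24 -> 192.168.10.5/32 8443",  # clean
    ):
        print(change, "->", review_change(RULESET, change) or ["ok"])
```

The shadow check is deliberately conservative: it only reports a proposed rule that is completely covered by one earlier rule, which is the case where adding it changes nothing or, when the covering rule is a deny, where the requester will be told the change went in but the traffic stays blocked. Partial overlaps still need the human review the steps above describe.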

Poor security policies, written and automated. Strong written policies are key to the overall success of any security initiative and awareness training. If you do not have policies, what are you going to train on and enforce? Without strong policies you also leave existing policies open to interpretation. Worse yet, without a policy a legal argument could be made that if you did not say we cannot do it, then we can; and then where does the liability for misdeeds lie? Some of the things your security awareness training policy should cover:
• Acceptable use policy for electronic communications
• Confidential data policy
• Email policy
• Mobile device policy
• Incident response policy
• Network security policy
• Password policy
• Physical security policy
• Wireless network and guest access policy

The power of social engineering is staggering, and the risk it poses to your corporate systems is extremely high. In a study performed by Carnegie Mellon University, researchers found that people could be convinced to download and install a program on their computers for as little as $1. For the promise of a $1 payment, 67% of people were willing to download the program and 63% were willing to actually run it. Attacks increasingly depend on human interaction to achieve their goals, so accounting for the human factor in your security strategy and awareness program is becoming even more critical in today's corporate environment.

Scott Lewis is the President and CEO of Winning Technologies Group of Companies. The Winning Technologies Group of Companies is an international technology management company. Scott has more than 30 years of experience in the technology industry and is a nationally recognized speaker on technology subjects such as colocation, security, CIO-level management, data and voice communications, and best practices for the management of technology resources. Learn more about Winning Technologies at www.winningtech.com or call 877-379-8279.
Submitted 6 years 233 days ago